Oracle Application Express


Oracle Application Express is a web-based software development environment that runs on an Oracle database. It is fully supported and comes standard with all Oracle Database editions and, starting with Oracle 11g, is installed by default as part of the core database install.
APEX can be used to build complex web applications which can be used in most modern web browsers. The APEX development environment is also browser-based.

Releases

Oracle Application Express can be installed on any Oracle database from version 9.2 or higher, and starting from Oracle 11g it is installed with the database by default. APEX 4.0 and higher can be installed on an Oracle 10.2.0.3 or higher database. APEX 5.0 and higher can be installed on all editions of the Oracle database, 11.1.0.7 or higher with a valid Oracle Database Technical Support agreement; it can also be used with Oracle Database 11g Express Edition, but is supported through the Oracle Technology Network discussion forum, and not through Oracle Support Services.
Product NameVersionReleasedNotes-
HTML DB1.52004First release.-
HTML DB1.62004Added themes.-
HTML DB2.02005Added SQL Workshop.-
Application Express2.1January 2006HTMLDB was renamed to APEX. Version 2.1 of APEX was bundled with the free Oracle Express Edition database.-
Application Express2.22006Packaged Applications.-
Application Express3.02007This version featured several new features, including PDF Printing, Flash charting and Access Application Migration.-
Application Express3.0.1July 2007This version could also be installed into an Oracle XE database.-
Application Express3.1Spring 2008This included a new major feature known as Interactive Reporting. Also added support for BLOB data type.-
Application Express3.22009Forms conversion.-
Application Express4.0June 2010Some notable features are declarative Dynamic Actions and Plugins. Also added Websheets and RESTful Web.-
Application Express4.1August 2011Notable new features included improved error handling, use of ROWID for updates, a data upload feature for end-users, and improved WebSheets.-
Application Express4.1.1February 2012Notable new features included new theme and various templates.-
Application Express4.2October 2012Notable new features such as application builder for mobile, mobile and responsive themes, and HTML5 support.-
Application Express4.2.1December 2012Bug Fixes.-
Application Express4.2.2April 2013Bug Fixes, Improved PDF printing, new Survey Builder packaged application.-
Application Express4.2.3September 2013This is a cumulative patch set for Application Express 4.2.0, Application Express 4.2.1, and Application Express 4.2.2.-
Application Express4.2.4December 2013This is a cumulative patch set for Application Express 4.2.0, Application Express 4.2.1, Application Express 4.2.2 and Application Express 4.2.3.-
Application Express4.2.5April 2014This is a cumulative patch set for Application Express 4.2.0, Application Express 4.2.1, Application Express 4.2.2, Application Express 4.2.3 and Application Express 4.2.4.-
Application Express4.2.6September 2014This is a cumulative patch set for Application Express 4.2.0, Application Express 4.2.1, Application Express 4.2.2, Application Express 4.2.3, Application Express 4.2.4 and Application Express 4.2.5.-
Application Express5.0April 2015Notable features are focused on developer productivity and improving the User Interface of user applications. This version introduces Page Designer, a browser-based IDE which provides drag and drop layouting of page components, property editor, and much more, reducing the need to go from page to page to make changes. Version 5.0 also introduces Universal Theme, a responsive user interface for user applications which can easily and extensively be customized using Template Options and Theme Roller.-
Application Express5.0.1July 2015This is a cumulative patch set for Application Express 5.0.0.-
Application Express5.0.2October 2015This is a cumulative patch set for Application Express 5.0.0 and Application Express 5.0.1.-
Application Express5.0.3December 2015Application Express 5.0.3.-
Application Express5.0.4July 2016This is a cumulative patch set for Application Express 5.0.0 and Application Express 5.0.3-
Application Express5.1December 2016Notable features include a new "Interactive Grids" component which provides an editable grid, Oracle JET-based charting, updated Universal Theme with Live Template Options and RTL support, several UX enhancements, updates to Packaged Apps, and three new Productivity Apps: Quick SQL, REST Client Assistant, and Competitive Analysis.-
Application Express5.1.1March 2017This is a cumulative patch set for Application Express 5.1.0-
Application Express5.1.2June 2017This is a cumulative patch set for Application Express 5.1.0 and Application Express 5.1.1-
Application Express5.1.3September 2017This is a cumulative patch set for Application Express 5.1.0 - Application Express 5.1.2-
Application Express5.1.4December 2017This is a cumulative patch set for Application Express 5.1.0 - Application Express 5.1.3-
Application Express18.1.0May 2018Oracle has released the latest version of APEX and keeping in line with their naming convention Apex has jumped from version 5.1.4 to 18.1- Application Express 5.1.4
Application Express18.2.0September 2018reworking of "Create Page" wizard, ability to upgrade Font APEX, sample data sets enhanced with other languages.
Application Express19.1.0March 2019Bug fixes, new features like REST-Enabled Forms, Dark Mode, Form Component, updated jQuery and oJet, enhanced JavaScript API, Interactive Grid, data-loading and charts-
Application Express19.2.0.00.18November 2019Introducing Faceted Search, a new component that enables you to quickly search and filter your data like never before. Empower your users to see data in new ways, and discover new insights, effortlessly, with just a few clicks.-
Application Express20.1.0.00.13April 2020This version includes the following features:
APEX + Redwood: The user interface of APEX and the App Builder has been refreshed to align with Redwood, Oracle's new user experience design system.
Faceted Search Enhancements: Allowing implement a cascading list of values, conditional facets, and compact count display
Friendly URLs: The URL syntax for APEX apps has been simplified to allow for friendlier URLs at runtime.
Improvements in Deployments and Exports: Automatic Backups, Export App as Zip and One-Click Remote App Deployment.
Native PDF Printing: You can now print PDF files directly from Interactive Grids.
Mega Menus: Render the navigation menu as a collapsible floating panel that displays all navigation items at once.		-

Background

Application Express has gone through many name changes since its inception in 2000. Names include:
APEX was created by Mike Hichwa, a developer at Oracle, after development of his previous project, Web DB, started to diverge from his original vision. Although APEX shares some functionality with Web DB, it was developed from scratch and there's no upgrade path from Web DB to APEX. When tasked with building an internal web calendar, Hichwa enlisted the help of Joel Kallman and started development on a project called Flows. Hichwa and Kallman co-developed the Web Calendar and Flows, adding features to Flows as they needed them to develop the calendar. Early builds of Flow had no front-end so all changes to an application had to be made in SQL*Plus via inserts, updates and deletes.
APEX is used internally by Oracle to develop some of its support sites. The AskTom knowledgebase and online store both run on APEX. The Metalink support site ran on APEX for some time before it was eventually replaced by an Oracle ADF solution.

Advantages and disadvantages

Advantages

While APEX has existed since 2004 in one form or another, it has recently been included in the new category of application development platforms called Low Code. These Low Code environments can trace their origins to 4GL programming languages and rapid application development tools. Since APEX was originally marketed as a RAD tool, this progression is a logical one. APEX allows the easy building of web applications with no code. Where the requirements are more complex, APEX allows the extension of the Low Code objects through a declarative framework. This framework lets the developer define custom logic and business rules as well as create an enhanced user interface. The developer can do this through the inclusion of SQL, PL/SQL, HTML, JavaScript, or CSS as well as APEX plug-ins. So APEX permits developers to go from no code to low code to more code.

Security

There is a common misconception that the abstracted nature of APEX applications results in a relatively secure user environment. However, APEX applications suffer from the same classes of application security flaws as other web applications based on more direct technologies such as PHP, ASP.net and Java.
The main classes of vulnerability that affect APEX applications are: SQL injection, Cross-site scripting, and Access Control.
APEX applications inherently use PL/SQL constructs as the base server-side language. As well as accessing data via PL/SQL blocks, an APEX application will use PL/SQL to implement authorization, and to conditionally display web page elements. This means that generally APEX applications suffer from SQL injection when these PL/SQL blocks do not correctly validate and handle malicious user input. Oracle implemented a special variable type for APEX called Substitution Variables and these are not safe and lead to SQL Injection. Where the injection occurs within a PL/SQL block an attacker can inject an arbitrary number of queries or statements to execute. Escaping special characters and using bind variables is the right way to code to ensure no XSS and SQL injection.
Cross-Site Scripting vulnerabilities arise in APEX applications just like other web application languages. Oracle provides the htf.escape_sc function to escape user data that is displayed within a rendered HTML response. The reports that APEX generates also provide protection against XSS through the Display As setting on report columns. Originally the default was for reports to be created without any escaping of the columns, although recent versions now set the column type to escape by default. Column definitions can be queried programmatically to check for columns that do not escape the value.
To control access to resources within an APEX application a developer can assign authorization schemes to resources. These must be applied consistently in order to ensure that resources are appropriately protected. A typical example of inconsistent access-control being applied is where an authorization scheme is set for a Button item, but not the associated Process that is performed when the button is clicked. A malicious user can perform the process without requiring the actual Button to be accessible.
Since APEX 4.0, the Application Builder interface provides some limited assessment of the security posture through the Advisor utility.

Third-party libraries

Developers may improve and extend their APEX applications by using third-party libraries that APEX comes standard with. Among them are , , , , and others. Experts say it is an advantage of applying the latest APEX patches that the external libraries which come with APEX carry an update, too. However, many of the libraries come out with newer versions more frequently than there are APEX patches.

APEX and Oracle Database Express Edition (XE)

Oracle Application Express can be run inside Oracle Database Express Edition, a free entry-level database. Although the functionality of APEX isn't intentionally limited when running on XE, the limitations of the database engine may prevent some APEX features from functioning. Also, Oracle XE has limits for CPU, memory and disk usage.